Actions
Types of Actions
An Action helps you execute specific tasks depending on your needs. There are 5 main types of actions in the playbooks:
- Interact with the platform: getters and setters
- Extract data: data collection enrichers
- Connect and use third-party applications
- Set up notifications
- Use helpers to build your own actions
The Actions Library lists all available actions in playbooks with their detailed configuration.
SEKOIA.IO Actions
Getters
| Name | Description |
|---|---|
| Get Event Field Common Values | Retrieve the most common values of an ECS field based on the time window |
| List Assets | Retrieve detailed information about assets based on a filter |
| Search Alerts | Retrieve detailed information about alerts (such as the urgency, name of the rule, etc… except events) based on a filter. |
| Get Alert | Retrieve detailed alert information such as the urgency, name of the rule, pattern, etc… except events. |
| Get Events | Retrieve events based on a search. This action is equivalent to a search on the event page and takes into consideration 3 parameters: a query with filters (source.ip=xx.xxx.xx), and earliest time/latest time: two dates to determine the date range of the search. |
Note
Get Events can be used to retrieve events from an alert. Events associated to an alert contain the key alert_short_ids with the value of the ID of the alert.
Setters
| Name | Description |
|---|---|
| Create an asset | Create an asset |
| Delete an asset | Delete an asset |
| Add attribute to asset | Add attribute to asset |
| Add key to asset | Add key to asset |
| Edit alert | Edit an alert details such as the urgency or the alert category |
| Comment alert | Add a comment to the alert |
| Update alert status | Change the status of an alert |
| Push Events to Intake | Push one or more events to an Intake |
| Attach Alerts to Case | Attach one or more alerts to a case. |
How to update an alert status
To update an alert status, you need to copy the action_uuid corresponding to the needed action.
| Action | Description | action_uuid |
|---|---|---|
| Acknowledge | Acknowledge the alert | 937bdabf-6a08-434b-b6d3-d7447e4e452a |
| Validate | Validate alert | c39a0a95-aa2c-4d0d-8d2e-d3decf426eea |
| Reject | Reject alert | ade85d7b-7507-4026-bfc6-cc006d10ddac |
| Close | Close alert | 1390be4e-ced8-4dd6-9bed-573471b235ab |
Notifications
To get notified, you can rely on these tools:
- Mandrill: Send Message
- Mattermost: Post message / Post SEKOIA.IO alert
- Pagerduty: Trigger Alert
- The Hive: Create an alert in the Hive
Data collection
If you have an account in one of the listed tools below, you can easily extract data from there and import it to SEKOIA.IO. This is made possible with an API key.
Helpers
| Name | Description |
|---|---|
| fileutils | Extract data from XML or JSON files |
| http | Request HTTP resources (download file, request URL) |
| STIX | Add source, ass tags, create relationships, cryptolaemus to STIX, CVE to STIX, filter bundle, JSON objects to observables, VirusTotal LiveHunt to observables, MISP to STIX, observables to contextualized indicators, observables to indicators, remove orphan objects, STIX to MISP, string to observables |
These helpers need their associated trigger to function properly:
| Name | Description |
|---|---|
| MISP | Gather, store, share and correlate threat intelligence. Convert from MISP to STIX, publish MISP event |
| MWDB | Convert a MWDB config to a bundle of observables |
| Triage | Triage raw results to observables |
Third-party applications
More actions are available in the Actions Library. To learn how to set up an action, please refer to its documentation.
Note
The dynamic content is written in JINJA. For more information on this language, please follow this documentation.